Inspect SSL/TLS Handshakes

Enable the firewall to inspect decrypted SSL/TLS traffic for threats during SSL/TLS handshakes.
Where can I use this?
What do I need?
  • Prisma Access
  • PAN-OS
  • Advanced URL Filtering license
    For Prisma Access, this is usually included with your Prisma Access license.
Inspect SSL/TLS handshakes for potential threats . Examining SSL/TLS handshakes improves network security and optimizes legacy and Advanced URL Filtering subscriptions. When you enable SSL/TLS handshake inspection, Advanced URL Filtering uses data in the handshake to identify the traffic and enforce applicable Security policy rules as early as possible.
Here’s how it works
First, the Client Hello message is scanned for the Server Name Indication (SNI) field, a TLS protocol extension that contains the hostname of a requested website. Then, the URL category and server destination of the traffic is determined from the hostname. Next, traffic is enforced based on its URL category. If a threat is detected, such as a malicious web server in the SNI field, or if a Security policy rule blocks the website, it terminates the handshake and ends the web session immediately. If no threat is detected and the traffic is allowed per policy, the SSL/TLS handshake is completed and application data is exchanged through the secure connection.
URL filtering response pages do not display for sites blocked during SSL/TLS handshake inspections because the firewall resets the HTTPS connection. The connection reset ends SSL/TLS handshakes and prevents user notification by response page. The browser displays a standard connection error message instead.
You can find details of successful SSL/TLS handshakes and sessions in the Traffic and Decryption logs. Details of failed sessions can be found in URL filtering logs; Decryption logs aren’t generated for web sessions blocked during SSL/TLS handshakes.

Recommended For You